Tines Vulnerability Disclosure Program

Introduction

Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Program Highlights

Open Scope — Accepts reports for all owned assets based on impact, even if not listed in scope.

Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.

Coordinated Vulnerability Disclosure — Standard coordinated vulnerability disclosure practices.

Top Response Efficiency — This program's response efficiency is above 90%.

Response Times

• Average time to first response: 19 hours
• Average time to triage: 2 days, 20 hours
• Average time to resolution: 3 days, 9 hours

Guidelines

Please use the following paths for new account signup & login:

If you are using your HackerOne email alias or the X-HackerOne-Research header as outlined in the "Test Plan" section below, you will be redirected to the listed paths:

• https://login.tines.com/research/signup
• https://login.tines.com/research/login

You may also use the attached Burp Suite project setting config or add the provided ZAP replace config to your ZAP configuration.

Core Requirements:

• Do not disclose the vulnerability outside of the VDP
• Do not violate any laws
• Do not disrupt services (DoS/DDoS)
• Do not access, modify, or destroy any accounts or data that do not belong to you

Vulnerability Considerations:

When submitting reports on potential vulnerabilities, please consider the real-world implications of the potential vulnerability and if the report indicates real-world impact, such as privilege escalation, sensitive information disclosure, or the ability to affect resources not owned by the tenant/team they are associated with. This includes recognizing that the Tines Intelligent Workflow platform is designed to allow Tenant Owners full control over resources within their specific tenant.

Regarding the Tines run-script feature, before submitting a potential vulnerability report, please assess if the team/tenant isolation is able to be compromised or escaped from.

Documentation Resources:

• https://www.tines.com/docs/quickstart/
• https://www.tines.com/api/welcome/
• https://www.tines.com/docs/actions/tools/run-script/
• https://www.tines.com/blog/python-tines-how-to-guide/
• https://www.tines.com/security/

Out of Scope

• HTTPS / TLS security headers suggestions
• Direct testing of 3rd parties
• SPF / DMARC / DKIM / DNSSEC suggestions
• Banner/version disclosure
• Social engineering / phishing / spam

Program Rules

• Please see the Test Plan below for information on account creation.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, only the first report received is triaged (provided that it can be fully reproduced).
• Only interact with accounts you own or with the explicit permission of the account holder.

Test Plan

• Users are able to sign up for a free account through the Tines website.
• All researchers are required to use their hacker email alias or the X-HackerOne-Research header when testing ([email protected]).
• Researchers using @gmail.com or any other domain other than their hacker email alias, without also using the provided headers, are subject to Tines account deletion and possible program exclusion.

Session Layer: HTTP Headers

Researchers must add headers to requests if not using the @wearehackerone.com email alias:

• "X-HackerOne-Research: [H1 username]"

Scope Exclusions

Core Ineligible Findings are out of scope.

---